Banks maintain no hacking involved

By JP LOPEZ

June 22, 2017

Bank of the Philippine Islands and Banco de Oro Unibank, two of the country’s biggest lenders, yesterday reiterated it was “human error” and skimming, respectively, and not hacking, that caused disorder among accounts of their depositors.

Speaking before the Senate committee on banks, financial institutions and currencies, BPI president and CEO Cezar Consing said there was no breach of data privacy when the glitch, which affected 1.5 million of the bank’s 8 million clients, was discovered.

“Our investigation revealed that ours was a case of human error and not hacking. We also informed our regulators that there was no breach of data privacy,” Consing told senators at the onset of the Senate investigation.

On June 6, BPI officials reported an internal data processing error that resulted in unauthorized postings of deposits and withdrawals.

The internal glitch only affected automated teller machines, cash acceptance machines, and point of sale systems. BPI had to disable electronic transactions for two days.

“To fix the problem, we had to take down our electronic channels. Basically these are services related to our ATM cards, internet banking, mobile banking. We took them down for a period of 26 hours spread over a period of 37 hours,” he said.

Ramon Jocson, executive vice president for enterprise services group of BPI who was also present in the hearing, said a female specialist had entered a wrong file in the system.

“Instead of May 26 to May 29, she entered April 27 to May 2 in our system. In effect, all transactions from April 27 to May 2 were doubled,” he said.

Jocson said the programmer processed the transactions immediately before sending a request for approval from her supervisor.

“What she did was maybe because of expediency,” he said.

The bank executive did not identify the programmer but said she had been reassigned to another department while the fiasco is under investigation.

When Senate Minority Leader Franklin Drilon asked if the June 7 glitch was a clear error of judgment on the part of the specialist, the bank official answered in the affirmative.

“I was a programmer once, I was young once…and this particular person has been (with us for three years). She topped her programming class so there’s always the zeal to do things faster. So I attribute this, your honor, to a lapse in judgment,” Jocson said.

Jocson pointed out “no money was lost” in the glitch.

When asked by panel chair Sen. Francis Escudero if BPI was 100 percent sure that its system was not hacked, Jocson said: “Your honor a hundred percent definite it was not a hack.”

Escudero called for a hearing after BDO issued a statement last Friday that its ATMs were potentially compromised, more than a week after the BPI incident.

The clients of BDO noted there were unauthorized withdrawals from their accounts.

According to the bank’s initial report to the Bangko Sentral ng Pilipinas (BSP), the incident was caused by a “localized skimming attack.”

Jocson said the BPI, to prevent the skimming attack, has a cyber security operations center where circuit breakers were installed.

He said that if the system detects “extra-volume transactions,” the automated process stops for 10 minutes and resumes only if there is nothing irregular in the transactions.

To prevent such skimming, the BSP in 2014 instructed all financial institutions to equip issued cards—ATM, debit and credit cards—with EMV (which stands for Europay, Mastercard and Visa) chips and has extended the deadline to June 30, 2018 from the original January 1 of this year.

Failure to do so will subject BSFIs to monetary sanctions provided under relevant provisions in the Manual of Regulations for Banks and Manual of Regulations for Non-Bank Financial Institutions.

To raise awareness as well as manage customers’ expectations on the replacement of their payment cards, BSFIs should intensify their public awareness programs, leveraging all available communication channels. The information should clearly indicate the date when EMV cards are available and ready for pick-up by their clients as well as the related procedures for replacing magnetic stripe cards and distributing EMV-compliant cards.

Industry estimates show that there are around 15 million Filipino ATM card holders and 6 million credit and debit card holders.

EMV is now a global standard for credit and debit payment cards based on chip card technology with issuance now totaling 1.55 billion worldwide.

These chip-based payment cards, also known as smart cards, contain an embedded microprocessor, a type of small computer. The microprocessor chip contains the information needed to use the card for payment, and is protected by various security features.

EMV chip-enabled cards are considered a more secure alternative to traditional magnetic stripe payment cards.
